The present invention relates to a method of and apparatus for preventing fraudulent access in a conditional access system linked to a subscriber""s receiver/decoder. The technique may be used in the field of data communication where transmitted encrypted data is received and decrypted by, for example, an authorised subscriber""s receivcer/decoder.
The term xe2x80x9creceiver/decoderxe2x80x9d used herein may connote a receiver for receiving either encoded or non-encoded signals, for example, television and/or radio signals. The term may also connote a decoder for decoding received signals. Embodiments of such receiver/decoders may include a decoder integral with the receiver for decoding the received signals, for example, in a xe2x80x9cset-top boxxe2x80x9d or such a decoder functioning in combination with a physically separate receiver.
The receiver/decoder is stated above as being xe2x80x9clinked toxe2x80x9d the conditional access system, which includes the possibilities that the receiver/decoder either forms part of or is separate from the conditional access system.
In particular, but not exclusively, the invention may be used in a mass-market broadcast system having some or all of the following preferred features. It may be an information broadcast system, preferably a radio and/or television broadcast system; it may be a satellite system (although it could be applicable to cable or terrestrial transmission); it may be a digital system, preferably using the MPEG, more preferably the MPEG-2, compression system for data/signal transmission; it may afford the possibility of interactivity; and it may use smartcards. Again, the invention may be used in conjunction with a digital audio visual transmission system. In the context of the present invention the term xe2x80x9cdigital audio visual transmission systemxe2x80x9d refers to all transmission systems for transmitting or broadcasting primarily audio visual or multimedia digital data. Whilst the present invention is particularly applicable to a broadcast digital television system, the present invention may equally be used in filtering data sent by a fixed telecommunications network for multimedia internet applications etc. As used herein, the term xe2x80x9csmartcardxe2x80x9d includes, but not exclusively so, any chip-based card device possessing, for example, microprocessor and/or memory storage. Also included in this term are chip devices having alternative physical forms, for example key-shaped devices such as are often used in TV decoder systems.
The term MPEG refers to the data transmission standards developed by the International Standards Organisation working group xe2x80x9cMotion Pictures Expert Groupxe2x80x9d and in particular but not exclusively the MPEG-2 standard developed for digital television applications and set out in the documents ISO 13818-1, ISO 13818-2, ISO 13818-3 and ISO 13818-4. In the context of the present patent application, the term includes all variants, modifications or developments of MPEG formats applicable to the field of digital data transmission.
An aim of the invention is to provide a data communication method, transmitter and receiver/decoder which can be used to provide data to, for example, subscribers or other buyers of reception rights on a secure basis.
In existing broadcasting systems, a smartcard is used by a subscriber to obtain the reception right and it has been found pursuant to the present invention that there is a problem of preventing misuse of the card to defraud the owner of the rights.
For example, in a known MPEG television subscriber system, the rights of different subscribers or groups of subscribers can be checked centrally, for instance on a monthly basis, and an authorising message can be subsequently sent, from a central station, to each subscriber or group of subscribers to authorise (or to block) use of the rights. Suitably, the authorising message is simply a xe2x80x9c1xe2x80x9d or xe2x80x9c0xe2x80x9d located in different bitmap positions which have been assigned to respective subscriber identities for the month, only the presence of a xe2x80x9c1xe2x80x9d authorising use of the right for the subscriber at the respective bitmap position, a xe2x80x9c0xe2x80x9d denying use of that right. The following problem with this system has been identified pursuant to the present invention. If, for example, the original subscriber ceases payment for the right, after a lapse of time, the system will no longer identify the original subscriber at the previously assigned bitmap position and this position may then be newly assigned to the identity of a xe2x80x9cnewxe2x80x9d subscriber. If the new subscriber has paid for and hence been authorised to use the right, there will be a xe2x80x9c1xe2x80x9d again in the bitmap position. If, at the xe2x80x9coriginalxe2x80x9d subscriber""s receiver/decoder, the decoder is disconnected before the next authorising message can update a linked conditional access system (associated with the xe2x80x9coriginal subscriberxe2x80x9d) and if the decoder is later reconnected (or if a clock is re-set), the xe2x80x9coriginalxe2x80x9d subscriber will then be mistaken for the xe2x80x9cnewxe2x80x9d subscriber who has been authorised to use the right and the xe2x80x9coriginalxe2x80x9d subscriber will thereby fraudulently obtain the right.
The present invention seeks to solve this problem and other similar or related problems where subscriber rights may be granted over periods of time which may depend typically, but not exclusively, on settling accounts. For example, rights may be granted for considerations other than payment where different subscribers can be authorised to use a system to gain access to a secure area, or to secure information, or to some other secure service.
In the context of the present invention the terms xe2x80x9cEMMxe2x80x9d and xe2x80x9cECMxe2x80x9d are utilised.
An Entitlement Management Message or EMM is a message designated to one subscriber or to a group of subscribers. It is usually generated by a subscription authorisation system and is multiplexed with an MPEG-2 stream. It is usually encrypted with a so-called xe2x80x9cmanagementxe2x80x9d key for example for group use. Hence it may be encrypted by a key common to all subscribers in a group of subscribers.
An Entitlement Control Message or ECM is a message sent in relation with one scrambled program. The ECM enables a user to descramble a control word to obtain the right to descramble a television (or similar) programme. A key (termed herein an xe2x80x9cECM keyxe2x80x9d) is passed through the EMM to a subscriber because the smartcard used by the subscriber needs the ECM key to decipher the ECM. The deciphered ECM is used to descramble the control word and hence to descramble the program.
According to one aspect of the present invention there is provided a method of preventing fraudulent access in a conditional access system which is linked to a subscriber""s receiver/decoder for receiving an entitlement management message (EMM) for a group of subscribers to enable said system to provide access for a respective subscriber, the method including the step of:
programming the receiver/decoder only to accept a current EMM of a current calendar period if it has received at least a previous EMM of a previous calendar period.
Hence the problem of preventing fraudulent access can be solved.
The method preferably further comprises the steps of:
transmitting redundant date information with the current EMM; and receiving the current EMM and using redundant date information to check whether said previous EMM has been received.
In a first preferred embodiment, each EMM contains rights date information concerning a current right of access and corresponding check date information concerning a previous right of access, such check date information constituting the redundant date information. This can be a particularly efficient way of putting the invention into practice.
In a second preferred embodiment, the redundant date information is an ECM key of a previous calendar period. This is a convenient alternative way of representing such information.
The subscriber rights may change on a regularly timed basis and the redundant date information may concern an immediately preceding period.
In one illustrative example of the invention, wherein the receiver/decoder is one of a plurality of receiver/decoders in a broadcast system, the subscribers need to have paid for a current month for the right to receive a program or programs and the subscriber rights could change on a monthly basis (since some may not have paid). The bitmap may then be used to indicate the rights for the current month. In this case, when the current EMM is received by the decoder, the redundant date information, e.g. the xe2x80x9cpreviousxe2x80x9d ECM key, would be that of the immediately preceding month. However, it is not essential to have sequential periods, since the xe2x80x9ccurrentxe2x80x9d and xe2x80x9cpreviousxe2x80x9d periods may be non-adjacent in time and there could be irregular amounts of real time between such periods. Typically, nonetheless, the previous EMM is for an immediately preceding calendar period, and the periods are sequential.
When there are changes in subscriber rights, it is preferable to include, in the current EMM, a subscriber bitmap having positions representing subscription rights of the subscribers in the group. However, this is unnecessary in situations where all subscribers are authorised, for example, where all subscribers have paid their subscriptions for the respective calendar period; hence this may only occur when there are changes in subscriber rights.
According to another aspect of the invention, there is provided a transmitter for use in a method of preventing fraudulent access in a conditional access system which is linked to a subscriber""s receiver/decoder for receiving an entitlement management message (EMM) for a group of subscribers to enable said system to provide access for a respective subscriber, the receiver/decoder being programmed only to accept a current EMM of a current calendar period if it has received at least a previous EMM of a previous calendar period, the transmitter including:
means for transmitting redundant date information with a current EMM of a current calendar period so that the redundant date information can be used by the receiver/decoder to check whether said previous EMM has been received.
Each EMM preferably contains rights date information concerning a current right of access and corresponding check date information concerning a previous right of access, such check date information constituting the redundant date information. Alternatively, the redundant date information may be an ECM key of a previous calendar period.
According to another aspect of the invention, there is provided a receiver/decoder for use in a method of preventing fraudulent access in a conditional access system, the receivcer/decoder being linked to the conditional access system and being provided for receiving an entitlement management message (EMM) for a group of subscribers to enable said system to provide access for a respective subscriber, the receiver/decoder including:
means programmed only to accept a current EMM of a current calendar period if it has received at least a previous EMM of a previous calendar period.
Said means may be programmed to check whether said previous EMM has been received by using redundant date information contained in the current EMM.
Each EMM may contain rights date information concerning a current right of access and corresponding check date information concerning a previous right of access, such check date information constituting the redundant date information. Alternatively, the redundant date information may be an ECM key of a previous calendar period.
The invention further provides a receiver/decoder substantially as herein described with reference to and as illustrated in the accompanying drawings.
Although preferred embodiments of the invention relate to a satellite television system, the invention is applicable to other data communication networks including cable networks (not necessarily handling television signals).
Preferred features of the invention are now described below, purely by way of example, with reference to the accompanying drawings, wherein:
FIG. 1 shows the overall architecture of a digital television system;
FIG. 2 shows the overall structure of a smartcard;
FIG. 3 shows the structure of an Entitlement Management Message (EMM) used in the conditional access system;
FIG. 4 shows the structure of an EMM encrypted by a group management key Kg common to all subscribers in a group and is included for illustrating a problem encountered in existing systems;
FIG. 5 shows part of the structure of an EMM encrypted in accordance with the invention;
FIG. 6 illustrates a first preferred embodiment;
FIG. 7 is a flow diagram illustrating the first preferred embodiment; and
FIG. 8 illustrates a further preferred embodiment.